openSUSE:Package source verification


Package Source Verification

Why

The Open Build Service and the openSUSE distribution projects (Tumbleweed and Leap) are made of thousands of packages from numerous upstream sites.

Generally, software is packaged in "good faith", relying on the upstream not to add malicious code to their software releases. Occasionally, however, attackers have tried to backdoor released software tarballs.

Since it is very hard, and often impossible, for us to review all the changes in upstream tarballs during regular package integration, we want to rely on some form of integrity guarantee from the upstream communities. The most suitable established process to rely on is signing the released tarballs with GnuPG (GNU Privacy Guard).

A large number of projects already do so, which gives us an established means to check these signatures automatically.

Source including verification

The GPG signature and the GPG keyring are included alongside the source package and listed in its sources.

So looking at GNU Hello (RPM package "hello"):

Source0:  http://ftp.gnu.org/pub/gnu/hello/hello-%{version}.tar.gz
Source1:  http://ftp.gnu.org/pub/gnu/hello/hello-%{version}.tar.gz.sig
Source2:  %{name}.keyring

The source URL given must be valid, and the file must also be included as a local copy in the OBS repository. This is because when the package is submitted to Factory, the source files are downloaded again and compared against the uploaded version.

If you wish to rename a source file, use the following URL syntax (where the file is uploaded to OBS as "some-other-name-%{version}.tar.gz"):

Source0:  http://ftp.gnu.org/pub/gnu/hello/hello-%{version}.tar.gz#/some-other-name-%{version}.tar.gz

Source without verification

If the source URL no longer exists (is "dead"), or the tarball has to be modified before uploading for some reason, list only the file name in the "Source:" tag. Make sure to leave a comment saying where you last retrieved the file from, or how to recreate the modified tarball.

# URL no longer exists, last downloaded from http://example.com/mypackage-v0.5.9.tar.xz on 22 Nov 2016
Source:  mypackage-v%{version}.tar.xz

Creating a .keyring file

In order to create a keyring file, you must have imported the public key that corresponds to the key used to sign the release.

The keyring should be retrieved from a reliable source (usually from the website). If possible, comment the URL where you got it from, placing it above the Source line in the .spec file.

You can also check whether the key is part of the GPG web of trust and chains to other known identities, although such chains are usually lacking.

It is very important that this key comes from a trusted source and is not a malicious key; please use due diligence in verifying this.

Any changes to the keyring should be documented in the .changes file of the package to avoid replacement with bad keys.

The keyring file can be anything GPG is able to import, such as an exported public keyring. The common mypackage.asc can simply be copied to mypackage.keyring as-is.

Do not confuse it with e.g. mypackage-version.tar.gz.asc, which contains a PGP signature, not a PGP public key block. An example is ModemManager, where the file 0xAECE0239C6606AD5.asc contains the latest public PGP key for ModemManager (as of 2022-11). In the same directory there are many .asc files such as ModemManager-1.18.12.tar.xz.asc, each of which corresponds to the tarball of the same name without the .asc extension, ModemManager-1.18.12.tar.xz in this example.

If possible, use the exact copy from the software provider, and record the download URL or location in the spec file, as is done for the Source tag.
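A small offline pre-check for the conventions described above (every tarball in the Source tags needs a listed .sig/.sign/.asc signature plus a %{name}.keyring, and the keyring must be a public key block rather than a detached signature). This is an added example, not the obs-service-source_validator code; the spec text, macro values and keyring headers below are constructed samples:

```python
import re

# Signature suffixes the validator is described as accepting (.asc and .sig(n)).
SIG_EXTS = (".sig", ".sign", ".asc")
TARBALL_EXTS = (".tar.gz", ".tar.xz", ".tar.bz2")

def local_name(url: str) -> str:
    """Filename as stored in OBS: a trailing '#/newname' overrides the URL basename."""
    if "#/" in url:
        return url.split("#/", 1)[1]
    return url.rsplit("/", 1)[-1]

def parse_sources(spec: str, macros: dict) -> list:
    """Return the local filenames of all Source tags, with %{macro} expanded."""
    names = []
    for line in spec.splitlines():
        m = re.match(r"\s*Source\d*\s*:\s*(\S+)", line)
        if not m:
            continue
        name = local_name(m.group(1))
        for key, value in macros.items():
            name = name.replace("%{" + key + "}", value)
        names.append(name)
    return names

def check_sources(spec: str, macros: dict) -> list:
    """List the problems that would make the keyring check fail or be skipped."""
    names = parse_sources(spec, macros)
    problems = []
    keyring = macros["name"] + ".keyring"
    if keyring not in names:
        problems.append("no %s listed" % keyring)
    for tarball in (n for n in names if n.endswith(TARBALL_EXTS)):
        if not any(tarball + ext in names for ext in SIG_EXTS):
            problems.append("no signature listed for " + tarball)
    return problems

def keyring_is_public_key(text: str) -> bool:
    """An armored keyring must be a public key block, not a PGP signature."""
    return text.lstrip().startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----")

# Constructed sample specs (modelled on the hello example and the rename syntax).
HELLO_SPEC = """
Source0:  http://ftp.gnu.org/pub/gnu/hello/hello-%{version}.tar.gz
Source1:  http://ftp.gnu.org/pub/gnu/hello/hello-%{version}.tar.gz.sig
Source2:  %{name}.keyring
"""
RENAMED_SPEC = """
Source0:  http://example.com/mypackage-%{version}.tar.xz#/other-%{version}.tar.xz
"""
```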

If you are downloading the public key from a GPG keyserver, verify that it really is the correct key and then use:

$ gpg --export -a KEYID > mypackage.keyring

Validating signature in source tag (recommended)

Because checking during the build takes time and also pulls GnuPG into the build dependencies, the signature check is implemented in the "source_validator" service (in the "obs-service-source_validator" RPM).

This service is not only run during package check-in, but also by the Factory bot checking scripts. The script checks the signatures against the %name.keyring file in the source directory. It can handle .asc and .sig(n) extensions of the tarballs.

If the signature does not validate, the checkin or the submission will be declined.

You can run it locally on your submissions using:

$ osc service runall source_validator

The code lives in the obs-service-source_validator RPM package, in the script /usr/lib/obs/service/source_validators/25-keyring-validate.